Jeremiah Grossman and I were able to get a proof of concept
working based off of Kurt's work that actually runs a simple piece of
JavaScript in IE, without using open or close angle brackets. Here's
the link to the post:

http://ha.ckers.org/blog/20060621/us-ascii-xss-part-2/

I concur that it would be very likely that this would pass
through almost all the content filters known to date, although the
liklihood of exploit is fairly low for any given websites, given the
encoding needed (US-ASCII). This is more relevant to perhaps injecting
JavaScript from remote locations by which you have control and bypassing
AV or content filtering products that otherwise would restrict malicious
JavaScript.